Apple’s MFi scheme for USB-C is a good thing

Apple appears poised to make it more difficult to use cheap USB-C cables with its devices, and while it may well make a few dollars more from the purported plan, there are also good reasons to put the system in place.

The claim is that Apple plans to replace Lightning ports and cables with USB-C in the iPhone 15, and when it does it will introduce a Made For iPhone (MFi) scheme for such products. The idea is that consumers will be able to purchase cables and other devices in full confidence that they will be compatible with their iPhone.

According to some reports, the downside is that USB-C devices that aren’t licensed under the MFi scheme may end up being penalized — they might not work at all, may only support a limited charging speed, and could be unable to share data.

Apple critics will attack the company for greed, as MFi scheme members must pay for the privilege of the licensed status. That’s going to mean iPhone users won’t be able to use just any USB-C cable, and the ones they do get to use may cost more.

But I don’t think it’s just greed driving this decision. It’s the need to secure your iPhone and everything it contains. It also follows several attacks in which key industries have been targeted and systems infected using USB-C. Given Apple’s commitment to secure the supply chain, this is a problem that needs to be resolved, particularly as the company co-chairs the Cyber Readiness Institute.

The move may also reflect cross-industry preparations to bring the company in line with the EU Cyber Resilience Act, which will demand manufacturers take steps to secure all manner of electronic products before they’re sold.

One big limitation of USB-C is that the cables themselves can be compromised and used to steal data from devices, and such attacks can be carried out by anyone with physical possession of your device.

Malicious cables might contain GPS trackers, or make calls, or steal user names, passwords and data from connected devices while turning the device into an entry route into the wider enterprise network.

There are literally dozens of ways USB can be used to compromise devices.

It’s amusing to consider the extent to which attacks of this nature have emerged from the work of national security agencies.

In the US, the National Security Agency (NSA) created its first malicious USB cable in 2008. Codenamed Cottonmouth, the cables were sold for more than $1,000 each in batches of 50. Today, you can pick them up for a fraction of that cost online.

Of course, while the standard itself has evolved, the moral of that part of today’s tale is that nasty security threats tend to proliferate. The history of digital technology is littered with illustrations that show today’s government-only backdoor becomes tomorrow’s favorite attack route for any teen hacker working from their bedroom.

More recently, the resurgence of BadUSB attacks against key infrastructure providers in early 2022 — targets were tricked into connecting malware-laden USB drives to their machines — shows the lengths some take to penetrate enterprise endpoints.

Other attacks exploit public USB-C access points; think what could happen if hackers had control of the USB-C slot you connect your iPhone to during an airport stopover — the damage might be done before you even touch down. 

One reason computers are vulnerable to such attacks is that USB-C doesn’t have a mandatory authentication system. The USB Implementers Forum (on which Apple sits) does offer a voluntary authentication protocol for USB-C chargers, cables, devices, and power sources that will detect unfamiliar cables and verify the device is certified. But not everyone uses this.

We know that the increasingly security-focused Apple is aware of the risks of USB-C. We also know it is aware of the USB-C authentication standard. All the same, it does seem interesting that when that system was introduced, the press release explained:

“USB Type-C Authentication empowers host systems to protect against non-compliant USB chargers and to mitigate risks from malicious firmware/hardware in USB devices attempting to exploit a USB connection.”

At that time, some security researchers warned that this security tech could end up being used by manufacturers to require that customers use only “approved” USB-C equipment.

That seems to be what Apple plans to do.

However, in the context of national security and with the knowledge that USB cables are being actively exploited to engage in attacks against national infrastructure, it makes sense to ensure the USB-C devices you or your employees connect to your iPhones aren’t going to steal your digital existence, even if they cost a few dollars more.
